Securing risky network ports

David Geer |
April 25, 2017

Is the issue with the port, the technology you use on it, or the technology attackers use on it?

Securing ports, and services and vulnerabilities

The enterprise can protect SSH by using SSH public key authentication, disabling logins as root, and moving SSH to a higher port number so that attackers won’t easily find it, says Widen. “If a user connects to SSH on a high port number like 25,000, it will be harder for the attackers to locate the attack surface for the SSH service,” says Widen.

If your enterprise runs IRC, keep it behind the firewall. “Don’t allow any traffic to the IRC service that came from outside the network. Have users VPN into the network to use IRC,” says Widen.

Repeated port numbers and especially long sequences of numbers rarely represent a legitimate use of ports. “When you see these ports in use, make sure they are genuine,” says Norby. Monitor and filter DNS to avoid exfiltration. And stop using Telnet and close port 23.

Security across all network ports should include defense-in-depth. Close any ports you don’t use, use host-based firewalls on every host, run a network-based next-generation firewall, and monitor and filter port traffic, says Norby. Do regular port scans as part of pen tests to ensure there are no unchecked vulnerabilities on any port. Pay particular attention to SOCKS proxies or any other service you did not set up. Patch and harden any device, software, or service connected to the port until there are no dents in your networked assets’ armor. Be proactive as new vulnerabilities appear in old and new software that attackers can reach via network ports.

Use the latest version of any service you support, configure it appropriately, and use strong passwords; access control lists can help you to limit who can connect to ports and services, says Muhl. “Test your ports and services often. When you have services such as HTTP and HTTPS that you can customize a lot, it is easy to misconfigure the service and accidentally introduce a vulnerability,” explains Muhl; “and change those default SNMP strings.”

Safe harbor for risky ports

Experts publish different lists of ports that carry significant risk based on varying criteria such as the type or severity of the threats attached to each port or the degree of vulnerability of the services on the given ports. No one list is a catch-all. For further investigation, you can start with lists from SANS.org, the internet SpeedGuide, and GaryKessler.net.